SandBlast Agent Deployment and Upgrade Best Practice

Refer to the following articles before you begin

Map - Plan - Execute

Mapping of all endpoint assets is very important!

It is recommended to set the deployment rule base according to the operation of every area.

  • Deployment best practice is granular deployment, from few to many, and it needs to be controlled. It is not recommended to deploy or change deployment for the entire organization at once.
  • Installation best practice is to install without user interaction.
  • Client upgrades must keep the same components installed, and must be performed after the OS-related upgrades have finished successfully.
  • To change installed components, either remove them before the upgrade or after the upgrade was performed. Never change deployed components during the upgrade process.
  • In case of installation or upgrade failures, reboot the machine and let it perform the installation or upgrade. Do not change the installed components; there is no need to re-image the machine.
  • To troubleshoot a failed upgrade, perform a client restore followed by an additional upgrade attempt.

 Deployment Policy example
Deployment best practice example

Endpoint Components Recommendations and What to Do

Component Deployment Recommendations Comments
  • Never change the EPS.msi name
  • Always deploy gradually and not all at once (refer to gradual deployment instructions in the Before you Begin section)
  • Never change installed components during an upgrade process
  • It is always recommended to upgrade to the latest released client version
  • Minimal to no user interaction is always better
Latest Endpoint releases and information can be viewed from the Endpoint Security Homepage
  • Make sure to run the latest BIOS/UEFI firmware
  • Be aware of Windows Feature Upgrades.
Refer to sk120667 - How to upgrade to Windows 10 1607 and above with FDE in-place
  • It is recommended that enterprises use Microsoft WSUS and test KBs before deploying them into the production environment.

Planning on using TPM?

Refer to sk102009 - TPM Support in Full Disk Encryption - Questions and Answers


Using SED/OPAL disks in your environment? Refer to

sk93345 - How to determine whether a UEFI machine supports SED (Opal) encryption with Check Point FDE

sk92970 - Configuring Windows for Opal 2 disks

 Capsule Docs
  • Minimize friction and define the simplest classification/policy model that covers your needs with minimal user interaction. Configure the server not to show pop-ups to users
  • It is recommended to perform all actions automatically, such as automatic protection upon document creation and automatic protection workflows that integrate Capsule Docs with home-grown and 3rd-party systems (such as portals, content management systems, DLP and business systems such as SAP, using CD APIs)
  • Gradual and flexible deployment that starts with monitoring-only mode, followed by full enforcement
  • Expand deployment gradually while defining default protection
  • It is recommended to use AD-Groups
  • Minimize and control the Office versions in production, and reduce the number of different Office versions and variants in production as much as possible
  • Control Office version updates and only upgrade Office or Adobe Reader after verifying and testing functionality
It is recommended to create your own Friendly-File using your brand, language and UX
 SandBlast Agent
  • It is recommended to deploy all of the SandBlast Agent components and to control the policy configuration.
Refer to sk153714 - SandBlast Agent Learning Mode Configuration
  • It is possible to start with Forensics deployment alongside the existing AV solution, or with the Check Point Anti-Malware solution, and configure it according to the Learning mode Impactless focus configuration.
Refer to sk153714 - SandBlast Agent Learning Mode Configuration


    For SandBlast Agent Best Practice Configuration, refer to sk154052 - SandBlast Agent Best Practice Configuration


    Upgrade Best Practice

    Upgrade best practice is to use the same granular deployment method for the upgrade process as well.

    Do not change installed components during the upgrade; change them only after the upgrade was successful.

    • The recommended upgrade process is to upload the new client versions and to push the upgrade to machines via the deployment rules.
      • The process is to simply change the version of the client in the deployment rule to the new version and install policy.
      • Every client that is connected to the management will receive the upgrade, automatically download the relevant package and perform the upgrade.
    • Offline upgrades are possible by creating a package for export from the new client version with the SAME components installed.
      • The process is to copy the exported package and install it on the machines that need to be upgraded.
    • To troubleshoot a failed upgrade, perform a client restore followed by an additional upgrade attempt.
    Notice that the upgrade process might create changes in behavior and might also bring new challenges. That is why it is recommended to test the upgrade on the test group and follow with granular deployment.

    Upgrade best practice example
